As a practice owner, it’s a challenge just making sure you equip your practice with the hardware and systems needed to perform your business functions effectively. Add HIPAA compliance to the mix, and it can really keep you up at night. In this post, we’ll explore the three essential layers of protection that need to be in place to prevent downtime and work toward HIPAA compliance: a Managed Firewall, Managed Anti-Virus/Anti-Ransomware, and a Managed Backup System. We’ll also outline the exact HIPAA regulation each one satisfies. Lastly, we will explain why this is so important and how to get these systems in place for your practice.
Layer 1: Unified Threat Managed Firewall with Active Security Services
The Firewall can be envisioned as your missile defense system. Not only is it actively preventing outside threats and hackers from getting into the network, but it is also scanning each piece of incoming and outgoing data to prevent malicious software from running and wreaking havoc on your system. Active security services are the subscription services that pair with your Firewall (the hardware). Features can include Advanced Malware Protection (AMP), Intrusion Prevention, and URL Content Filtering (website restrictions). Typically this also includes unlimited support and updates.
HIPAA Regulation Satisfied:
The active security services, along with the Firewall, satisfy the HIPAA Security Rule 164.308(a)(4) and the HIPAA Privacy Rule – 164.508 for Accessing Electronic Patient Health Information and Logging.
Layer 2: Managed Anti-Virus/Anti-Ransomware
Let’s say something does get past the Firewall or is introduced to the network another way, such as through a USB flash drive. You’ll be relying on the Anti-Virus/Anti-Ransomware software on the system to stop, reverse, or kill the malicious software ASAP. Viruses want to stay silent and steal information, so it is critical to know what IS and ISN’T on your network. Ransomware is the biggest threat to a dental office these days. It is the most common and one of the most disruptive things that can happen.
HIPAA Regulation Satisfied:
HIPAA Security Rule 164.308(a)(5)(ii)(B) – The protection, detection and reporting of malicious software running on a network, and §164.308 – “Administrative Safeguards” (a)(5)(ii) – “Implementation Specifications” (B) – “Protection from malicious software (Addressable).”
Layer 3: The Last Line of Defense – Managed Backup & Disaster Recovery
This should always be considered the last line of defense – if we are using the backup, something catastrophic has happened and the office is at a standstill. Money is flying out the door. Three things we always want to hit:
- Local, Frequent, Encrypted Backup
- Off-Site, Encrypted Backup (can be Cloud)
- Verification of those Backups! Do they work?
HIPAA Regulation Met:
164.308(7)(ii)(A) – It’s not optional – All Covered Entities (CEs), including medical practices and Business Associates (BAs), must securely back up “retrievable exact copies of electronic protected health information” (ePHI).
164.308(7)(ii)(B) – Your data must be recoverable – Why else are you backing it up? You must be able to fully “restore any loss of data.”
164.308(7)(ii)(C) – Safeguards must continue in recovery mode – The same set of security requirements that applies under normal business operations must also apply during emergency mode. CEs and BAs cannot let their guard down.
164.308(a)(1) – You must get your data offsite – as required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). How could one defend a data backup and disaster recovery plan where stored backup copies of ePHI are in the same location as the original data?
164.308(a)(1)(ii) – You must back up your data frequently – as required by the HIPAA Security Final Rule. In today’s real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event if one had to recover from yesterday’s data backup.
164.312(e)(1)(B) – Encrypt or Destroy. The Health Information Technology for Economic and Clinical Health Act (HITECH) says to encrypt or destroy data at rest to secure it (Section 13402(h) of Title XIII, HITECH Act). The HIPAA Security Rule says that data being transmitted must be encrypted. Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted.
And of course, there is always training! Now you may be asking yourself, how can all of this information help me? First, share this information with your IT provider, or if your IT provider cannot handle this, find a group who can. Second, review your HIPAA binder/documentation and make sure everything is accounted for. HIPAA is the mechanism that protects a patient’s health information under your control and sets the systems for how that information is handled and secured. By all accounts, when audited, the Risk Assessment is the first thing requested by Federal/State Auditors. If you would like a free evaluation of your setup, please visit our website’s contact page and fill out the New Client Questionnaire. Please select OpenDental Blog in the “How did you hear about us” field to receive this free offer.